There are many block explorers that offer this service publicly, they are based on this explorer:

github.com/etherparty/explorer

I tried to use it, but to make it work (so my users could explore blocks of our private net) I have to open RPC port for everyone using --rpccorsdomain "*", and bind RPC port to an external network interface. AFAIK this is very insecure, and exposing such a complex API may lead to a remote exploit somehow, probably. Setting up proxies from nginx and stuff like that also won't work, because the request to RPC is made from the browser of the client, and the client is located somewhere on the internet.

So my question is , how do this people configure their block explorer in a secure manner? I would also like to offer a public block explorer for my net but I don't want to be hacked.